%LINK-W-PORT_SUSPENDED: Port fi2/0/42 suspended by acl-deny

henrihoffmann · ‎05-09-2023

Hi,

have trouble with an CBS350 stack and some WLAN APs.

According to the log, the port fi2/0/42 was "suspended by acl-deny".

Two questions:

- Why did the firmware suspend the port, even where are no errors logged?

- Why did the firmware suspend the port, even "acl-deny Disable"?

Is there any way to understand, how this think works?

Thanks a lot

Henri

sh ver
Active-image: flash://system/images/image_cbs_ros_3.2.1.1_release_cisco_signed.bin
Version: 3.2.1.1
MD5 Digest: 937212ebf51de43330b6f7967a7445ae
Date: 13-Feb-2023
Time: 01:12:59

switch3#sh errdisable rec

Timer interval: 300 Seconds

Reason Automatic Recovery
---------------------- ------------------
loopback_detection Enable
port-security Disable
dot1x-src-address Disable
acl-deny Disable
stp-bpdu-guard Disable
stp-loopback-guard Disable
udld Enable
storm-control Enable
link-flapping Enable

untitled text 94:97: 09-May-2023 10:16:13 :%SEC-I-PORTAUTHORIZED: Port fi2/0/42 is Authorized
untitled text 94:99: 09-May-2023 10:15:48 :%STP-W-PORTSTATUS: fi2/0/42: STP status Forwarding
untitled text 94:107: 09-May-2023 10:15:43 :%SEC-W-PORTUNAUTHORIZED: Port fi2/0/42 is unAuthorized
untitled text 94:109: 09-May-2023 10:15:43 :%LINK-I-Up: fi2/0/42
untitled text 94:343: 08-May-2023 11:00:56 :%LINK-W-Down: fi2/0/42
untitled text 94:345: 08-May-2023 11:00:56 :%LINK-W-PORT_SUSPENDED: Port fi2/0/42 suspended by acl-deny
untitled text 94:517: 07-May-2023 13:39:24 :%STP-W-PORTSTATUS: fi2/0/42: STP status Forwarding
untitled text 94:519: 07-May-2023 13:39:20 :%LINK-I-Up: fi2/0/42
untitled text 94:521: 07-May-2023 13:39:14 :%LINK-W-Down: fi2/0/42
untitled text 94:523: 07-May-2023 13:39:10 :%LINK-I-Up: fi2/0/42
untitled text 94:525: 07-May-2023 13:39:08 :%LINK-W-Down: fi2/0/42
untitled text 94:527: 07-May-2023 13:39:05 :%LINK-I-Up: fi2/0/42
untitled text 94:529: 07-May-2023 13:39:00 :%LINK-W-Down: fi2/0/42
untitled text 94:605: 07-May-2023 03:21:25 :%SEC-I-PORTAUTHORIZED: Port fi2/0/42 is Authorized
untitled text 94:625: 07-May-2023 03:21:17 :%STP-W-PORTSTATUS: fi2/0/42: STP status Forwarding
untitled text 94:644: 07-May-2023 03:21:08 :%SEC-W-PORTUNAUTHORIZED: Port fi2/0/42 is unAuthorized
untitled text 94:646: 07-May-2023 03:21:08 :%LINK-I-Up: fi2/0/42
untitled text 94:775: 07-May-2023 03:20:49 :%LINK-W-Down: fi2/0/42
untitled text 94:938: 07-May-2023 03:18:25 :%LINK-W-Not Present: fi2/0/42
untitled text 94:1390: 05-May-2023 00:22:28 :%STP-W-PORTSTATUS: fi2/0/42: STP status Forwarding

switch3#sh int count fi2/0/42

Port InUcastPkts InMcastPkts InBcastPkts InOctets
---------------- ------------ ------------ ------------ ------------
fi2/0/42 157428 62077 2607 50388306

Port OutUcastPkts OutMcastPkts OutBcastPkts OutOctets
---------------- ------------ ------------ ------------ ------------
fi2/0/42 716392 6149710 2691263 1430934600

FCS Errors: 0
Single Collision Frames: 0
Multiple Collision Frames: 0
SQE Test Errors: 0
Deferred Transmissions: 0
Late Collisions: 0
Excessive Collisions: 0
Carrier Sense Errors: 0
Oversize Packets: 0
Internal MAC Rx Errors: 0
Symbol Errors: 0
Received Pause Frames: 0
Transmitted Pause Frames: 0

marce1000 · ‎05-09-2023

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf88738

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

henrihoffmann · ‎05-09-2023

Hi Marce,

thanks, but ...

Conditions: unbind the ACL from port under traffic, and the ACL includes a deny ACE with an "disable-port" option.

Have here no ACLs defined.

Thanks again

Henri

marce1000 · ‎05-09-2023

- Try using the latest firmware for the CBS350 (stack) : check if that can help ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

henrihoffmann · ‎05-14-2023

Hi Marce,

did not help.

Henri

Active-image: flash://system/images/image_cbs_ros_3.3.0.16_release_cisco_signed.bin
Version: 3.3.0.16
MD5 Digest: 7decdf94fd5999afb7b07509896c693b
Date: 23-Mar-2023
Time: 11:37:54

14-May-2023 00:19:34 :%LINK-W-Down: fi2/0/42
14-May-2023 00:19:32 :%LINK-W-PORT_SUSPENDED: Port fi2/0/42 suspended by acl-deny

henrihoffmann · ‎06-27-2023

It happens again and again....

2023-Jun-27 07:00:19

%LINK-W-PORT_SUSPENDED: Port fi2/0/44 suspended by acl-deny

henrihoffmann · ‎07-04-2023

carlxjones · ‎11-26-2024

Just happened to me as well. I have no ACLs set on the switch. The stack disabled two ports for ACL Deny. Oddly enough, one of the ports that got shutdown was vacant and has never had anything plugged into it. Running firmware 3.4.0.17.

havenmAries · ‎12-04-2024

I have a couple of questions regarding this issue:

Why did the firmware suspend the port when there are no other errors logged?
Why was the port suspended even when the "acl-deny Disable" command is configured?

I am trying to understand how this behavior works and would appreciate any insights or explanations.